The complete BitLocker encryption guide for Windows PCs

Data encryption is critical. Whether you’re using a PC provided by your employer or working from your own personal computer, encryption ensures that thieves and anyone else who might get their hands on your PC can’t view any sensitive private data.

Storage encryption can be complex on Windows PCs. This guide will tell you everything you need to know, including the difference between traditional BitLocker encryption and new “Device Encryption,” how to ensure your PC’s data is safe, and how to encrypt removable devices — just in case.

I’ll also explain what you need to know about recovering from BitLocker encryption errors. When the CrowdStrike meltdown occurred, many people booted their PCs only to see a blue screen that demanded a BitLocker recovery key. Hopefully, this won’t happen to you. In case it ever does, you should be prepared.

Want more Windows PC tips? Come check out my free Windows Intelligence newsletter for three new things to try every Friday and a free in-depth Windows Field Guide e-book (a $10 value).

What is BitLocker?

BitLocker is Microsoft’s storage encryption technology. First introduced in Windows Vista, it’s still part of Windows 11 and Windows 10 today. BitLocker is designed to encrypt entire volumes. In other words, BitLocker is designed to encrypt entire partitions on your hard drive.

When activated, BitLocker stores your PC’s files on disk in an encrypted manner. Think of them as being stored in a “scrambled” form — a thief can’t just pull your PC’s storage drive out and access your files. They’ll need the encryption key to access them.

BitLocker is often configured to function in “transparent” mode, automatically unlocking itself when you boot your computer. This uses the TPM (Trusted Platform Module) hardware in your computer to unlock the drive. The TPM stores the encryption key and provides it only if the Windows operating system doesn’t appear to have been tampered with.

This technology is a critical way for businesses to secure their company’s data. That’s why businesses will often enforce BitLocker usage on their managed PCs. But it’s also a useful way for individuals to secure their personal data. If someone does get their hands on your laptop, they won’t be able to access the files without the key. Even if they boot the laptop up, they’ll need to sign into your Windows user account to access your files.

If you ever have an issue with BitLocker, you will be asked to provide a BitLocker recovery key. If you set up BitLocker yourself, Windows prompted you to store it somewhere safe. If you set it up through your workplace, they have a copy. A copy will be stored with your Microsoft account in some situations, too.

BitLocker vs. Device Encryption: What’s the difference?

Back in the Windows 7 days, BitLocker was only offered on Professional, Enterprise, and Education versions of Windows. The average PC running a Home version of Windows didn’t have access to a built-in storage encryption technology.

That’s somewhat true today. The full version of BitLocker, also known as BitLocker Drive Encryption, is only available on Professional versions of Windows and higher. If you’re an individual who wants access to the full BitLocker set of tools on your PC, you’ll have to pay to upgrade to the Professional edition of Windows 11 (or Windows 10) if your PC came with the Home edition.

However, starting with Windows 8.1 and carrying on to Windows 10 and Windows 11 today, Microsoft began offering something called “Device Encryption” or “BitLocker Device Encryption.” This technology uses BitLocker under the hood. It doesn’t offer the full set of BitLocker configuration options, though, and it only works if a PC has the right hardware — a TPM 2.0 chip, for example, which is one of the hardware features officially required for Windows 11.

Device Encryption is designed to “just work” on the average modern PC. It only works if you sign into Windows with a Microsoft account or a work or school account. If you do, Windows will automatically activate Device Encryption (assuming your PC has the right hardware), protecting your files with encryption.

Since you’ve signed in with a Microsoft account, a work account, or a school account, Windows will back up your BitLocker recovery key to your Microsoft account — or your employer’s or school’s systems. This ensures the average PC user will have a way to access their recovery key if they ever have an error.

For the average person, that Microsoft account requirement is something to be aware of. If you choose to sign into your PC with a local user account, you won’t be able to use Device Encryption. For optimal security, you will want to sign in with a Microsoft account or pay for a Professional edition of Windows and use the full BitLocker experience.

How to check if your PC’s storage is encrypted

For these methods, you’ll want to be signed into Windows with an Administrator account. The options may not appear if you’re signed in with a Standard user account.

To check for Device Encryption on Windows 11, open the Settings app, select “Privacy & security,” and then click “Device encryption” under Security. If Device Encryption is active, it will be set to “On.”

The Settings app will only show a “Device encryption” option if your PC supports it.Chris Hoffman, IDG

On Windows 10, open the Settings app, select “Update & Security,” and click “Device encryption” in the left pane. If Device encryption is active, you will see a message saying “Device encryption is on.”

If you do not see a “Device encryption” option in the Settings app at all, your PC doesn’t support it — or you’re signed into Windows with a Standard user account.

If your PC has Device Encryption, the only option is to turn it “On” or “Off.”Chris Hoffman, IDG

You can also look in File Explorer. Look under “This PC” and check the icons for each drive in your computer. If you see a padlock in the drive’s icon, it’s encrypted in some way — either with BitLocker Drive Encryption or with Device Encryption.

Windows will show a lock icon next to encrypted drives.Chris Hoffman, IDG

You can control BitLocker options and see whether a storage device is encrypted by opening the classic Control Panel window, selecting “System and Security,” and then clicking “BitLocker Drive Encryption” or “Device Encryption.” You will see one of the two options here, depending on which technology your PC has.

BitLocker Drive Encryption offers more options than Device Encryption.Chris Hoffman, IDG

How to encrypt a removable drive

If you have a PC with the full BitLocker Drive Encryption experience — not the Device Encryption feature found on Home editions of Windows 11 and Windows 10 — you can also encrypt removable storage devices. This uses a feature called “BitLocker To Go,” and it can be used with USB flash drives, SD cards, and external hard drives.

To do so, open the Control Panel, click “System and Security,” and select “BitLocker Drive Encryption.” You’ll see an option to encrypt a removable drive under “Removable data drives.”

How to find your BitLocker recovery key

BitLocker should normally “just work.” Most people will hopefully never see a BitLocker recovery key blue screen at boot. However, CrowdStrike’s extreme failure caused this screen to pop up on millions of PCs. It may also be caused by a hardware problem or if you need to pull a storage drive from one computer or access it on another.

In this case, you’ll need your BitLocker recovery key. If you use a device managed by your employer or educational institution, your work or school systems will have the recovery key backed up, and you can request it from them.

If you sign into your PC with a Microsoft account and Windows automatically enabled Device Encryption, you will need to access it from Microsoft. Visit Microsoft’s BitLocker recovery key page and sign in with your Microsoft account to find it.

If you set up BitLocker Drive Encryption yourself, Windows prompted you to save and store a recovery key as part of the setup process. You may have printed it on a piece of paper or stored it on a USB drive.

If your PC is working fine, you can also create a backup copy of your recovery key at any time. To do so, open the Control Panel, click “System and Security,” and select either “BitLocker Drive Encryption” or “Device Encryption.” From this window, you’ll find links to back up a copy of each drive’s recovery key.

Microsoft has a detailed guide on finding your BitLocker recovery key. If you’ve lost all copies of the recovery key and your PC is asking for it — this may happen if you set up BitLocker yourself on a personal PC and then didn’t print the recovery key or lost your backup copies of it — you won’t be able to access the files on your PC. You will have to restore your files from any backups you might have.

What about VeraCrypt and TrueCrypt?

If you’d like to encrypt a Windows PC’s storage but you don’t want to use BitLocker for some reason, you can turn to an open-source alternative. This was more common before Windows offered built-in Device Encryption on modern PCs, as people with Home versions of Windows could encrypt them using this software without paying to upgrade to a Professional edition of Windows.

Years ago, TrueCrypt was the go-to solution for this. The TrueCrypt project shut down in 2014, warning that the software was “not secure as it may contain unfixed security issues” and recommending Windows PC users switch to BitLocker.

The nature of these alleged security issues was never fully explained. The successor, VeraCrypt, took the project’s code and built on it, fixing security issues and continuing to develop it. The code has been independently audited, and issues found were fixed. If you are going to use an open-source drive encryption tool on Windows, you should likely go with VeraCrypt.

I recommend most people use some form of BitLocker — BitLocker Drive Encryption or Device Encryption — if possible. BitLocker is integrated with Windows, and it should work well. You are more likely to experience data loss or other problems or incompatibilities with a third-party solution like VeraCrypt.

Everyone should have encryption

Ultimately, basic storage encryption is a necessity on any modern PC — unless you have a desktop PC that stays locked up in a secure office, perhaps. But the average laptop needs this feature for data security. A lost laptop shouldn’t be a major data security concern, whether you’re using a computer from your employer or your own personal PC.

Every other modern platform — Android, ChromeOS, macOS, and iOS — offers storage encryption by default. With Device Encryption, Windows 11 now offers encryption on most new devices by default. That will be even more true in the fall of 2024, when Windows 11’s 24H2 update will enable Device Encryption on more PC hardware configurations.

Want more Windows analysis that cuts through the jargon and explains what really matters? Check out my free Windows Intelligence newsletter — I’ll send you three things to try every Friday. Plus, get free copies of Paul Thurrott’s Windows 11 and Windows 10 Field Guides (a $10 value) for signing up.